darkcomet | fed56117e88f7dd3664190e9dbc2b55411efe9a793aa1a7dac358d7d34f66170

General

Target

08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Size

848KB
MD5

08cf2a748bbae2d923864859b7399b72
SHA1

6dbaa83040a728d12a817c74708016f707f7a506
SHA256

fed56117e88f7dd3664190e9dbc2b55411efe9a793aa1a7dac358d7d34f66170
SHA512

6a358f1ff7d3a0263e52a4d5fcff7cb95141a93dbbaf509e9d9d85004ed291fbd4156a18b017d819cd9210c05c3f5ab657d92c6496610220298d11038b4e0e38
SSDEEP

24576:d3nbWmJVJFwSddIXvfhqbiaxvRxq95HD0QZh9u:pamdZdcBYy0

Score

10^/10

darkcomet persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\Dastan\\msdcsc.exe"	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

Drops file in Drivers directory 1 IoCs

Processes:

08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

description ioc process

File opened for modification C:\Windows\system32\drivers\etc\hosts 08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Executes dropped EXE 1 IoCs

Processes:

msdcsc.exe

pid process

2440 msdcsc.exe
Loads dropped DLL 2 IoCs

Processes:

08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

pid process

2252 08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
2252 08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

pid	process
2440	msdcsc.exe

pid	process
2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dastan = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Dastan\\msdcsc.exe"	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

msdcsc.exe

description pid process target process

PID 2440 set thread context of 2584 2440 msdcsc.exe iexplore.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	pid	process	target process
PID 2440 set thread context of 2584	2440	msdcsc.exe	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exemsdcsc.exeiexplore.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeSecurityPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeBackupPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeRestorePrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeShutdownPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeDebugPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeUndockPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: 33	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: 34	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: 35	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2440	msdcsc.exe
Token: SeSecurityPrivilege	2440	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2440	msdcsc.exe
Token: SeLoadDriverPrivilege	2440	msdcsc.exe
Token: SeSystemProfilePrivilege	2440	msdcsc.exe
Token: SeSystemtimePrivilege	2440	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2440	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2440	msdcsc.exe
Token: SeCreatePagefilePrivilege	2440	msdcsc.exe
Token: SeBackupPrivilege	2440	msdcsc.exe
Token: SeRestorePrivilege	2440	msdcsc.exe
Token: SeShutdownPrivilege	2440	msdcsc.exe
Token: SeDebugPrivilege	2440	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2440	msdcsc.exe
Token: SeChangeNotifyPrivilege	2440	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2440	msdcsc.exe
Token: SeUndockPrivilege	2440	msdcsc.exe
Token: SeManageVolumePrivilege	2440	msdcsc.exe
Token: SeImpersonatePrivilege	2440	msdcsc.exe
Token: SeCreateGlobalPrivilege	2440	msdcsc.exe
Token: 33	2440	msdcsc.exe
Token: 34	2440	msdcsc.exe
Token: 35	2440	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2584	iexplore.exe
Token: SeSecurityPrivilege	2584	iexplore.exe
Token: SeTakeOwnershipPrivilege	2584	iexplore.exe
Token: SeLoadDriverPrivilege	2584	iexplore.exe
Token: SeSystemProfilePrivilege	2584	iexplore.exe
Token: SeSystemtimePrivilege	2584	iexplore.exe
Token: SeProfSingleProcessPrivilege	2584	iexplore.exe
Token: SeIncBasePriorityPrivilege	2584	iexplore.exe
Token: SeCreatePagefilePrivilege	2584	iexplore.exe
Token: SeBackupPrivilege	2584	iexplore.exe
Token: SeRestorePrivilege	2584	iexplore.exe
Token: SeShutdownPrivilege	2584	iexplore.exe
Token: SeDebugPrivilege	2584	iexplore.exe
Token: SeSystemEnvironmentPrivilege	2584	iexplore.exe
Token: SeChangeNotifyPrivilege	2584	iexplore.exe
Token: SeRemoteShutdownPrivilege	2584	iexplore.exe
Token: SeUndockPrivilege	2584	iexplore.exe
Token: SeManageVolumePrivilege	2584	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DllHost.exe

pid process

2672 DllHost.exe

pid	process
2672	DllHost.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exemsdcsc.exe

description	pid	process	target process
PID 2252 wrote to memory of 2440	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe	msdcsc.exe
PID 2252 wrote to memory of 2440	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe	msdcsc.exe
PID 2252 wrote to memory of 2440	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe	msdcsc.exe
PID 2252 wrote to memory of 2440	2252	08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe	msdcsc.exe
PID 2440 wrote to memory of 2584	2440	msdcsc.exe	iexplore.exe
PID 2440 wrote to memory of 2584	2440	msdcsc.exe	iexplore.exe
PID 2440 wrote to memory of 2584	2440	msdcsc.exe	iexplore.exe
PID 2440 wrote to memory of 2584	2440	msdcsc.exe	iexplore.exe
PID 2440 wrote to memory of 2584	2440	msdcsc.exe	iexplore.exe
PID 2440 wrote to memory of 2584	2440	msdcsc.exe	iexplore.exe

C:\Users\Admin\AppData\Local\Temp\08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\08cf2a748bbae2d923864859b7399b72_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Drops file in Drivers directory
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2252

C:\Users\Admin\AppData\Local\Temp\Dastan\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\Dastan\msdcsc.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2584

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2672

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ALI ABDOL MALEKI.JPG
Filesize
27KB

MD5
fbafe329b8cd60b05438db46d69b1a1a

SHA1
d2dd1880ffff4c04286c1d5b23f8624af6160683

SHA256
1c83b9219123e039507e6e56e56b4496bb440b8199b5ed60ade18cfaeec8849f

SHA512
83c8fd83a3765d24912e707988c2c0b5418e882cf9b734ddfc915bbe33c5c1e899f2ff84d7901ddd2bdddf26f372354ac153a71051ff729b81964e458b4b9596

Download Submit
\Users\Admin\AppData\Local\Temp\Dastan\msdcsc.exe
Filesize
848KB

MD5
08cf2a748bbae2d923864859b7399b72

SHA1
6dbaa83040a728d12a817c74708016f707f7a506

SHA256
fed56117e88f7dd3664190e9dbc2b55411efe9a793aa1a7dac358d7d34f66170

SHA512
6a358f1ff7d3a0263e52a4d5fcff7cb95141a93dbbaf509e9d9d85004ed291fbd4156a18b017d819cd9210c05c3f5ab657d92c6496610220298d11038b4e0e38

Download Submit
memory/2252-0-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/2252-5-0x0000000003F30000-0x0000000003F32000-memory.dmp

Filesize
8KB

Download
memory/2252-17-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2440-20-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2584-19-0x0000000000400000-0x00000000004E2000-memory.dmp

Filesize
904KB

Download
memory/2672-6-0x00000000001A0000-0x00000000001A2000-memory.dmp

Filesize
8KB

Download
memory/2672-7-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2672-21-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads